A Capehart Scatchard Blog

As part of its increased enforcement efforts, the Office of Civil Rights of the US Department of Health and Human Services (OCR) recently entered into a $400,000 settlement with a Rhode Island hospital for failure to update its business associate agreement as required under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). This settlement brings the total of HIPAA security and privacy violation fines/settlements to more than $20 million this year, a dramatic increase from $6.2 million in all of 2015.

In short, in late 2012 the hospital alerted federal authorities that it lost unencrypted backup tapes containing ultrasounds for over 14,000 women, which included patient names, social security numbers, and dates of birth.

The hospital’s information technology and information security services were provided by its parent company. The parent company and the hospital, a subsidiary, were operating under a business associate agreement that took effect March 15, 2005. This agreement was not updated until August 28, 2015, and thus did not include the revisions mandated under the HIPAA Omnibus Final Rule.

Specifically, the $400,000 settlement, effectively a fine, was due to the hospital’s failure to “obtain satisfactory assurances as required under HIPAA,” in the form of a written business associate agreement that the parent company would safeguard the hospital’s PHI. An additional $150,000 was paid to the Massachusetts Attorney General’s Office in response to a state investigation relating to the underlying data breach.

“This case illustrates the vital importance of reviewing and updating as necessary business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

With the significant increase in data theft, it is clear that the OCR is ramping up its enforcement efforts and the accompanying fines. The aim is to ensure that covered entities and business associates not only employ the appropriate physical and digital safeguards to properly protect patients’ PHI, but also keep abreast of changing HIPAA requirements so that their written agreements reflect current regulation. As such, covered entities must be vigilant and regularly reassess their business associate agreements, and other agreements, with vendors, subcontractors, and others that may qualify as business associates, to ensure compliance with changes to HIPAA.

Questions regarding this article may be sent to Publications@Capehart.com.
